Privacy Policy
GoodRevyu ("we") places the highest importance on protecting your personal information. This policy describes what we collect, why we use it and the rights granted to you by Quebec's Act respecting the protection of personal information in the private sector (Law 25) and applicable Canadian laws.
1. Privacy Officer
A Privacy Officer oversees compliance with this policy. For any question, write to [email protected].
2. Information we collect
- Account: name, email, password (hashed), organization, language.
- Reviews and replies: reviews imported from your connected platforms (content, rating, public author) and generated replies.
- Platform connections: third-party access tokens, encrypted at rest.
- Usage: AI reply and API call volumes, audit log of important actions.
- Cookies: essential cookies and, with your consent, audience-measurement cookies (see the cookie policy).
3. Purposes of use
- Provide and operate the service (reply generation, review management).
- Ensure security, prevent fraud and meet our legal obligations.
- Bill your subscription (via Stripe).
- Improve the service, in an aggregated and anonymized way.
We never sell your personal information and do not use it to train AI models.
4. Providers and processors
We rely on processors that handle information on our behalf:
| Processor | Purpose | Region |
|---|---|---|
| Anthropic (Claude) | AI reply generation | United States |
| Stripe | Subscription payments | United States / EU |
| Google | Business Profile API (reviews) | United States |
| Hetzner | Infrastructure hosting | European Union |
Google API data (Limited Use)
When a business connects its Google Business Profile account, GoodRevyu accesses, with its consent (business.manage scope), its business locations and their reviews, in order to display those reviews and publish the business's replies.
GoodRevyu's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:
- this data is used only to provide the review-management and response feature requested by the business;
- we do not sell it, and transfer it to third parties only to provide the service, for security or legal reasons, or with your consent;
- we do not use it for advertising, nor to train generalized AI models;
- Google access tokens are encrypted at rest; you can disconnect your account at any time, which immediately revokes our access.
5. Disclosure outside Quebec
Our data is hosted in the European Union (Hetzner). Some processors (Anthropic, Google, Stripe) may process information in the United States. In accordance with section 17 of Law 25, we have assessed these transfers and put in place contractual measures to ensure adequate protection. A register of transfers outside Quebec is maintained.
6. Retention
Reviews and replies are kept as long as your account is active. Upon termination, they are deleted within 30 days. Logs required for our legal obligations may be kept longer, then destroyed.
7. Your rights
Law 25 grants you the following rights, exercisable from your dashboard or by email:
- Access and portability: obtain a copy of your data (full JSON export).
- Rectification: correct inaccurate information.
- Erasure: request deletion of your data and closure of the account.
- Consent withdrawal: at any time, for non-essential purposes.
8. Security
Watertight multi-tenant architecture, encryption at rest (AES-256-GCM) of tokens and secrets, hashed passwords (bcrypt), parameterized SQL queries, security headers, audit log. As no measure is infallible, we will notify you of any confidentiality incident in accordance with Law 25.
9. Changes
We may update this policy. The version in force is shown at the top of the page.